The New York State Office of the Attorney General (NY OAG) has warned 17 well-known companies that roughly 1.1 million of their customers have had their user accounts compromised in credential stuffing attacks.
In such attacks, threat actors make automated and repeated attempts (millions at a time) to access user accounts using credentials (usually user/password pairs) stolen from other online services.
This tactic works particularly well against the accounts of those who reuse their credentials across multiple platforms.
The attackers’ end goal is to gain access to as many accounts as possible to steal the associated personal and financial information that can be sold on hacking forums or the dark web.
The threat actors can also use the info themselves in various identity theft scams or make unauthorized purchases.
NY OAG discovered these compromised online accounts during a “sweeping investigation” lasting several months, in which it monitored multiple online communities dedicated to sharing validated credentials harvested in previously undetected credential stuffing attacks.
“After reviewing thousands of posts, the OAG compiled login credentials for customer accounts at 17 well-known companies, which included online retailers, restaurant chains, and food delivery services,” NY OAG said today.
“In all, the OAG collected credentials for more than 1.1 million customer accounts, all of which appeared to have been compromised in credential stuffing attacks.
“Following discovery of the attacks, the Office of the Attorney General (OAG) alerted the relevant companies so that passwords could be reset and consumers could be notified.”
Digital Shadows also reported last year that more than 15 billion credentials are currently being shared or sold online, most of them belonging to consumers.
This massive cache of circulating compromised credentials is behind a recent rise in credential stuffing attacks.
“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stands in jeopardy,” said New York Attorney General Letitia James.
“Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.”
Today, NY OAG also published a report providing further details on its credential stuffing investigation and how companies can protect their customers and respond to such incidents.
For instance, companies are advised to implement bot detection services, multi-factor authentication, and password-less authentication, and to monitor customer traffic for signs of attacks (e.g., spikes in traffic volume or failed login attempts).
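The monitoring advice above and the attack pattern described earlier (automated, high-volume attempts with stolen user/password pairs, spread across many accounts and mostly failing) can be turned into concrete detection logic. The following is an added example, not code from the NY OAG report or from any of the companies mentioned; the log line format, the thresholds and the sample traffic are all assumptions constructed for illustration. It flags a source address that tries many distinct usernames with a high failure rate inside a time window, and separately checks for a site-wide spike in failed logins against a baseline.

```python
"""Detect credential-stuffing patterns in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Hypothetical log line format, assumed for this example (not any vendor's real format):
#   2022-01-05T10:00:01Z ip=203.0.113.42 user=alice result=fail
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "ok"}


def per_source_stats(events, start, window):
    """Aggregate login attempts per source IP inside [start, start + window)."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    end = start + window
    for ev in events:
        if start <= ev["ts"] < end:
            s = stats[ev["ip"]]
            s["attempts"] += 1
            s["failures"] += 0 if ev["ok"] else 1
            s["users"].add(ev["user"])
    return stats


def flag_stuffing_sources(events, start, window=timedelta(minutes=5),
                          min_attempts=10, min_users=8, min_fail_rate=0.7):
    """Return IPs whose behaviour in the window matches credential stuffing:
    many attempts, spread over many distinct usernames, mostly failing.
    The thresholds are illustrative; tune them to the service's normal traffic."""
    flagged = []
    for ip, s in per_source_stats(events, start, window).items():
        fail_rate = s["failures"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["users"]) >= min_users
                and fail_rate >= min_fail_rate):
            flagged.append(ip)
    return sorted(flagged)


def failed_login_spike(events, start, window, baseline_fails_per_minute, factor=5.0):
    """Site-wide signal: failed logins in the window exceed `factor` times the baseline."""
    end = start + window
    fails = sum(1 for ev in events if start <= ev["ts"] < end and not ev["ok"])
    minutes = window.total_seconds() / 60
    return fails > factor * baseline_fails_per_minute * minutes


# Constructed sample log (not real traffic): one source cycles through leaked
# user/password pairs for 12 different accounts and gets into one of them,
# while two ordinary users log in from their own addresses with one typo each.
SAMPLE_LOG = []
for i in range(12):
    result = "ok" if i == 7 else "fail"
    SAMPLE_LOG.append(
        f"2022-01-05T10:00:{i * 4:02d}Z ip=203.0.113.42 user=user{i:02d} result={result}"
    )
SAMPLE_LOG += [
    "2022-01-05T10:00:10Z ip=198.51.100.7 user=alice result=fail",
    "2022-01-05T10:00:25Z ip=198.51.100.7 user=alice result=ok",
    "2022-01-05T10:01:03Z ip=192.0.2.19 user=bob result=fail",
    "2022-01-05T10:01:20Z ip=192.0.2.19 user=bob result=ok",
    "garbage line that does not parse",  # exercises the parser's rejection path
]


def analyse_sample():
    """Run both detectors over the constructed sample and return their results."""
    events = [e for e in map(parse_line, SAMPLE_LOG) if e]
    start = datetime(2022, 1, 5, 10, 0, tzinfo=timezone.utc)
    window = timedelta(minutes=5)
    return {
        "flagged": flag_stuffing_sources(events, start, window),
        "spike": failed_login_spike(events, start, window, baseline_fails_per_minute=0.2),
        "stats": per_source_stats(events, start, window),
    }


if __name__ == "__main__":
    r = analyse_sample()
    print("flagged sources:", r["flagged"])
    print("site-wide failed-login spike:", r["spike"])
    for ip, s in r["stats"].items():
        print(f"{ip}: {s['attempts']} attempts, {s['failures']} failures, {len(s['users'])} users")
```

The per-source check catches a single address working through a list of leaked pairs; the site-wide check catches the same attack when it is spread across many addresses (as the article notes, these campaigns run millions of attempts), where no single source crosses the per-IP thresholds. In a real deployment the 0.2 failures-per-minute baseline would come from the service's own historical traffic, and the successful login from the flagged source is the account that needs a password reset and customer notification.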